aws.hostedzone

Filters

• config-compliance

• event

• finding

• list-item

• marked-for-op

• ops-item

• query-logging-enabled

• reduce

• shield-enabled

• tag-count

• value

query-logging-enabled

Parent base class for filters and actions.

properties:
  state:
    type: boolean
  type:
    enum:
    - query-logging-enabled
required:
- type

Permissions - route53:GetQueryLoggingConfig, route53:GetHostedZone, logs:DescribeSubscriptionFilters

shield-enabled

Base class with helper methods for dealing with ARNs of resources protected by Shield

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Permissions - shield:ListProtections

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• set-query-logging

• set-shield

• tag

• webhook

delete

Action to delete Route 53 hosted zones.

It is recommended to use a filter to avoid unwanted deletion of R53 hosted zones.

If set to force this action will wipe out all records in the hosted zone before deleting the zone.

example:

policies:
  - name: route53-delete-testing-hosted-zones
    resource: aws.hostedzone
    filters:
      - 'tag:TestTag': present
    actions:
      - type: delete
        force: true

properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - route53:DeleteHostedZone

set-query-logging

Enables query logging on a hosted zone.

By default this enables a log group per route53 domain, alternatively a log group name can be specified for a unified log across domains.

Note this only applicable to public route53 domains, and log groups must be created in us-east-1 region.

This action can optionally setup the resource permissions needed for route53 to log to cloud watch logs via set-permissions: true, else the cloud watch logs resource policy would need to be set separately.

Its recommended to use a separate custodian policy on the log groups to set the log retention period for the zone logs. See custodian schema aws.log-group.actions.set-retention

example:

policies:
  - name: enablednsquerylogging
    resource: hostedzone
    region: us-east-1
    filters:
      - type: query-logging-enabled
        state: false
    actions:
      - type: set-query-logging
        state: true

properties:
  log-group:
    default: auto
    type: string
  log-group-prefix:
    default: /aws/route53
    type: string
  set-permissions:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-query-logging
required:
- type

Permissions - route53:GetQueryLoggingConfig, route53:CreateQueryLoggingConfig, route53:DeleteQueryLoggingConfig, logs:DescribeLogGroups, logs:CreateLogGroup, logs:GetResourcePolicy, logs:PutResourcePolicy

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

Permissions - shield:CreateProtection, shield:ListProtections